
Re: ICMPv6 and the conntrack table



Hi,

On 09.10.16 at 09:54, Pascal Hambourg wrote:
> On 08/10/2016 at 20:09, Florian Pelgrim wrote:
>>
>> $ ip route get 2404:6800:400a:800::1012
>> 2404:6800:400a:800::1012 from :: via fe80::1 dev eth0  src
>> fe80::d481:11ff:feee:4908  metric 0
> 
> This does not look like a correct setup to me, unless the router
> performs source NAT (yuck!). A link local source address cannot be used
> to send packets beyond the link.
It was autogenerated by Debian itself.
But I configured a static public IPv6 address.

Fun fact is that my provider is really using fe80::1 as default gateway.
And I know a lot more who are using the same technique when dealing with
IPv6 for customers.

> 
>> So why is conntrack ignoring my icmpv6 traffic?
> 
> Conntrack does not ignore all ICMPv6 traffic. Only some ICMPv6 types are
> not tracked because they use multicast which is hard to track. Such
> types include part of the NDP protocol (neighbour discovery): Neighbour
> Solicitation, Neighbour Advertisement, Router Solicitation, Router
> Advertisement, and a few others. They have the UNTRACKED state.
> 
> Blocking NDP on a broadcast interface breaks IPv6 connectivity.
> 
> Other usual ICMPv6 types such as Echo Request/Reply and error messages
> (Destination Unreachable, Packet Too Big, Parameter Problem...) are
> tracked as usual.
Ah, nice. Thanks. That explains a lot for me now. :)

Cheers
Flo
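As an added illustration of what Pascal's point means for a filter ruleset (this is not from the thread and not Florian's configuration): assuming a single host running nftables with a default-drop input chain, Neighbour Discovery has to be accepted explicitly, because its UNTRACKED state never matches an "established,related" rule.

```nft
# Added example, not from the thread. NDP packets carry the UNTRACKED
# conntrack state, so "ct state established,related accept" never
# matches them; with a drop policy and no explicit rule, IPv6 on the
# link silently stops working (no router, no neighbour resolution).
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour Discovery: untracked by conntrack, accepted by type.
        # RFC 4861 requires a hop limit of 255 on these messages, which
        # also rejects NDP that has crossed a router.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # Tracked ICMPv6: error messages (Destination Unreachable, Packet
        # Too Big, ...) arrive as RELATED to an existing flow and are
        # already accepted above. An inbound Echo Request is a NEW flow
        # and needs its own rule; the rate limit is a local choice.
        icmpv6 type echo-request limit rate 10/second accept

        # Services this host offers (assumed: SSH only).
        tcp dport 22 accept

        # Log what the chain policy is about to drop.
        log prefix "ip6-input-drop: " drop
    }
}
```

Load it with `nft -f <file>`; afterwards `conntrack -L -f ipv6` shows entries for echo and TCP flows but none for the NDP traffic, which is expected.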
